CVE-2012-1108 : The parse function in ogg/xiphcomment.cpp in TagLib 1.7 and earlier allows remote attackers to cause a denial of service

The parse function in ogg/xiphcomment.cpp in TagLib 1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted vendorLength field in an ogg file.

Published 2012-09-06 18:55:01

Updated 2017-08-29 01:31:12

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Input validationDenial of service

Exploit prediction scoring system (EPSS) score for CVE-2012-1108

Probability of exploitation activity in the next 30 days: 1.36%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-1108

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2012-1108

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-1108

http://mail.kde.org/pipermail/taglib-devel/2012-March/002186.html

multiple security vulnerabilities in taglib

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/73665

TagLib parse() denial of service CVE-2012-1108 Vulnerability Report
http://www.openwall.com/lists/oss-security/2012/03/05/19

oss-security - Re: CVE-Request taglib vulnerabilities

CVEs referencing this url
http://www.securityfocus.com/bid/52284

taglib Buffer Overflow and Divide-By-Zero Denial of Service Vulnerabilities

CVEs referencing this url
http://mail.kde.org/pipermail/taglib-devel/2012-March/002191.html

multiple security vulnerabilities in taglib

CVEs referencing this url
https://github.com/taglib/taglib/commit/b3646a07348ffa276ea41a9dae03ddc63ea6c532

Be more careful when parsing Vorbis Comments · taglib/taglib@b3646a0 · GitHub
Exploit;Patch
http://www.gentoo.org/security/en/glsa/glsa-201206-16.xml

TagLib: Multiple vulnerabilities (GLSA 201206-16) — Gentoo security

CVEs referencing this url

Products affected by CVE-2012-1108

Scott Wheeler » Taglib
Versions up to, including, (<=) 1.7
cpe:2.3:a:scott_wheeler:taglib:*:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.6
cpe:2.3:a:scott_wheeler:taglib:1.6:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.3.1
cpe:2.3:a:scott_wheeler:taglib:1.3.1:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.0
cpe:2.3:a:scott_wheeler:taglib:1.0:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.1
cpe:2.3:a:scott_wheeler:taglib:1.1:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.4
cpe:2.3:a:scott_wheeler:taglib:1.4:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.2
cpe:2.3:a:scott_wheeler:taglib:1.2:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.6.2
cpe:2.3:a:scott_wheeler:taglib:1.6.2:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.5
cpe:2.3:a:scott_wheeler:taglib:1.5:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.6.3
cpe:2.3:a:scott_wheeler:taglib:1.6.3:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.6.1
cpe:2.3:a:scott_wheeler:taglib:1.6.1:*:*:*:*:*:*:*
Matching versions
Scott Wheeler » Taglib » Version: 1.3
cpe:2.3:a:scott_wheeler:taglib:1.3:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2012-1108

Exploit prediction scoring system (EPSS) score for CVE-2012-1108

CVSS scores for CVE-2012-1108

CWE ids for CVE-2012-1108

References for CVE-2012-1108

Products affected by CVE-2012-1108